
fix(auth): authenticate generateIdToken requests with base credentials#19941

Open
toga4 wants to merge 2 commits into googleapis:main from toga4:fix-idtoken-unauthenticated-generateidtoken

Conversation


@toga4 toga4 commented Jun 10, 2026

Contributor

When the Application Default Credentials are an external_account or impersonated_service_account configuration, idtoken.NewCredentials sends the generateIdToken request without an Authorization header and the IAM Credentials API rejects it with 401 CREDENTIALS_MISSING.

credsFromDefault always passed a default unauthenticated client to impersonate.IDTokenOptions, and impersonate.NewIDTokenCredentials builds an authenticated client from the provided credentials only when the client is nil.
As a result, the non-impersonated base credentials introduced in #14474 never authenticated the generateIdToken request.

This change passes the user-provided client through as-is, so that impersonate.NewIDTokenCredentials builds a client authenticated with the base credentials when no client is provided.
The added regression test replaces http.DefaultTransport to route all requests to a local test server and asserts that the generateIdToken request carries an Authorization header derived from the base credentials.

Fixes #19939
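The failure mode described above and the kind of regression check that catches it, as a self-contained Go model added here (not code from google-cloud-go, which this page does not show): `baseAuthTransport`, `newIDTokenClient` and the fake endpoint are constructed for illustration and mirror only the contract the description states, namely that a non-nil client is used verbatim and only a nil client is wrapped with the base credentials.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// baseAuthTransport stands in for a transport carrying the non-impersonated base credentials (constructed here).
type baseAuthTransport struct {
	baseToken string
	next      http.RoundTripper
}

// RoundTrip attaches the base credentials' bearer token to every outgoing request.
func (t *baseAuthTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	r2 := r.Clone(r.Context())
	r2.Header.Set("Authorization", "Bearer "+t.baseToken)
	return t.next.RoundTrip(r2)
}

// newIDTokenClient mirrors the contract the PR describes: a non-nil client is used verbatim; only nil is wrapped.
func newIDTokenClient(client *http.Client, baseToken string) *http.Client {
	if client != nil {
		return client // passing an unauthenticated default client here reproduces the bug
	}
	return &http.Client{Transport: &baseAuthTransport{baseToken: baseToken, next: http.DefaultTransport}}
}

// generateIDTokenStatus posts to a fake IAM Credentials endpoint that rejects unauthenticated requests.
func generateIDTokenStatus(client *http.Client) (int, error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") == "" {
			http.Error(w, "CREDENTIALS_MISSING", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, `{"token":"constructed-id-token"}`)
	}))
	defer srv.Close()
	resp, err := client.Post(srv.URL+"/v1/projects/-/serviceAccounts/sa:generateIdToken", "application/json", nil)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	fmt.Println(generateIDTokenStatus(newIDTokenClient(http.DefaultClient, "constructed-token"))) // 401 <nil>
	fmt.Println(generateIDTokenStatus(newIDTokenClient(nil, "constructed-token")))                // 200 <nil>
}
```

The test-server approach stands in for the real test's http.DefaultTransport replacement: the assertion that matters is that the generateIdToken request reaching the server carries an Authorization header.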

@toga4 toga4 requested review from a team as code owners June 10, 2026 02:06

google-cla Bot commented Jun 10, 2026


Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor


Code Review

This pull request ensures that when a client is not provided, the ID token credentials are built using a client authenticated with the base credentials, resolving an issue with unauthenticated default clients. It also introduces a regression test for this scenario. The review feedback recommends updating the test's custom dialer to use DialContext instead of net.Dial to ensure context cancellation is respected and prevent potential test hangs.

Comment thread auth/credentials/idtoken/idtoken_test.go

idtoken.NewCredentials always passed a default unauthenticated client to impersonate.IDTokenOptions for external_account and impersonated_service_account credentials.
impersonate.NewIDTokenCredentials uses a non-nil client verbatim, so the base credentials never authenticated the generateIdToken request and the IAM Credentials API rejected it with 401 CREDENTIALS_MISSING.

Fixes googleapis#19939
@toga4 toga4 force-pushed the fix-idtoken-unauthenticated-generateidtoken branch from 84c8fec to 2d52e22 Compare June 10, 2026 02:25